Malware married to software in undetectable attack.

Stealthy, Razor Thin ATM Insert Skimmers. An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety.

Replica of the Tor website used to serve malware. The increasing popularity of the Tor network is attracting cybercriminals. Recently the French security researcher Florent Daigniere discovered a website (torbundlebrowser.org) that is a replica of the original Tor website with only a few differences. As detailed by the computer science student Julien Voisin in a blog post, the website includes suspicious links to download the Tor software and a Bitcoin address. The layout and content are the same as the legitimate website's, except for the “Announcement” section on the right side, which includes a link to download a “new release” of the Tor Browser Bundle (torbrowser-install-3.6.3_en-US.exe).

Voisin downloaded the package and reverse-engineered its code with ILSpy, discovering that it contains malware. The student also found several encrypted payloads; the malware allows bad actors to take control of the infected machine.

Russian PM's Twitter hacked to slap down Putin, post fake resignation. The Twitter feed of the Russian prime minister was hacked on Thursday to post false claims that Dmitry Medvedev had resigned to try his hand as a freelance photographer.

The Russian-language profile, which boasts more than 2.5 million followers, was also updated with messages criticising Russia's president, Vladimir Putin. Another tweet from the compromised @MedvedevRussia account proposed "banning electricity", the BBC reports.
It’s Time for Retailers to Tell Point-of-Sale Hackers to ‘Back Off’. It’s Groundhog Day all over again for retailers, following the U.S. Department of Homeland Security’s warning that they could, once again, be exploited by malicious actors. Less than a year after hacks of Target and Neiman Marcus caught the attention of government investigators, and the whole country, Homeland Security is again weighing in on a hack targeting retailers.
LulzSec supergrass Sabu led attacks against Turkey – report. Just months after reports emerged that LulzSec "kingpin" turned FBI snitch Hector Xavier Monsegur had allegedly led cyber-attacks against foreign governments while under FBI control, a "cache of sealed court documents" has provided some more startling reading.

'Up to two BEEELLION' mobes easily hacked by evil base stations. The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.

Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been released. Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration. They found that, to access handsets remotely, the attacker needs to know the handset's unique International Mobile Station Equipment Identity (IMEI) number and a secret token.

Retail POS System Compromised Through Video Security System. I have been harping on the dangers of insecure embedded systems and physical security systems posing a huge security risk for your internal network.

Recently I was talking with a Retail Point of Sale (POS) software expert and was told how a POS system was hacked by an attacker that had gained access to the network through a video security system! It is so simple now, in the name of convenience, to put various devices online by using extremely cheap embedded systems that act as web servers and remote access devices. With the rush to put everything online, called the “Internet of Things”, security is massively taking a back seat. I particularly find it hard to believe that physical security devices meant to protect your building or premises from a physical attacker are being made with old, outdated or even wide open online services that will allow an electronic attacker full access.
APT Group Hijacks Popular Domains to Mask C&C Communications: FireEye. Researchers at FireEye have examined a new campaign in which advanced persistent threat (APT) actors used some clever techniques to avoid being detected.

According to the security firm, multiple Internet infrastructure service providers in the United States and Asia, a U.S.-based media company, and a financial institution and government organization located in Asia have been targeted in the operation dubbed "Poisoned Hurricane." FireEye started analyzing the group's activities in March 2014, when they spotted a PlugX (Kaba) variant that connected to legitimate domains and IP addresses. One of the samples spotted by researchers had been signed with a legitimate digital certificate from the Police Mutual Aid Association, while another sample leveraged an expired digital certificate from a company called MOCOMSYS, Inc.

The malware was set up to connect to domains such as adobe.com, update.adobe.com and outlook.com.
Backdoor Techniques in Targeted Attacks. Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines.

These allow the threat actor to collect information and move laterally within the targeted organization. Our investigations into various targeted attacks have shown that backdoors use a wide variety of tactics to carry out their routines and remain undetected by network administrators and security products. Over time, these techniques have evolved as more sophisticated defenses have become available to network administrators. Initially, all an attacker needed to connect to a compromised machine was an open TCP/IP port. However, as firewalls became more commonplace, other techniques became necessary.
‘White Label’ Money Laundering Services.

Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action.

But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.

The typical process of “cashing out” stolen credit card accounts.

Today’s post looks at one such evolution in a type of service marketed to cybercrooks that has traditionally been perhaps the most common way that thieves overseas “cash out” cybercrimes committed against American and European businesses, banks and consumers: the reshipping of goods purchased through stolen credit cards.

In a new report released today by the U.S. Department of Homeland Security, security experts laid out how cybercriminals are using legitimate programs as the first step to break into corporate networks and compromise point-of-sale systems with malware. "Remote desktop solutions like Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location," the report notes. "Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution." The malware family being used in the attacks is known as 'Backoff', and has been spotted in at least three separate breach investigations, according to the report.
Registry-infecting reboot-resisting malware has NO FILES. Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer's registry only and is therefore not easy to detect. Its code reaches machines through a malicious Microsoft Word document before creating a hidden, encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says.
Plug and PREY: Hackers reprogram USB drives to silently infect PCs. Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing. Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.

After further investigation, Kaspersky identified two new variants of this threat, which the security firm detects as Backdoor.Linux.Mayday.g.
Service Drains Competitors’ Online Ad Budget.

Attackers Bypass 2FA Systems Used by Banks in 'Operation Emmental'. 2FA systems used by banks bypassed with malware and rogue mobile apps: SMS-based two-factor authentication (2FA) mechanisms used by banks to secure their customers' accounts have been bypassed by cybercriminals using a combination of malware, mobile apps, rogue DNS servers, and phishing sites, according to a report published by Trend Micro on Tuesday. The security firm has been monitoring a campaign which it has dubbed "Operation Emmental," because, similar to Swiss Emmental cheese, the security systems used by financial institutions can be full of holes.
Beware Keyloggers at Hotel Business Centers. The U.S.
The Rise of Thin, Mini and Insert Skimmers. The ‘Fly’ Has Been Swatted.

Peek Inside a Professional Carding Shop. Two 14-year-old students hacked an ATM with impressive simplicity. Ne’er-Do-Well News, Volume I. Thieves Planted Malware to Hack ATMs. Infographic: How Snowden Breached the NSA. GCHQ used fake LinkedIn and Slashdot to hack GRX providers and OPEC. The GCHQ (British Government Communications Headquarters) used fake LinkedIn and Slashdot pages to hack Belgacom, OPEC and other GRX providers. According to the German weekly news magazine Der Spiegel, the British signals intelligence agency has again adopted a “quantum insert” technique to target employees of two companies that are GRX (Global Roaming Exchange) providers.
Brazilian banking threatened by a malware embedded inside RTF file. Fake Twitter Followers Selling by the Thousands.